by dejanseo 2856 days ago
Hi everyone! I did this. It was just a random cool idea I wanted to try. It worked a little too well and I quickly moved it to a disposable site to test if the page will get penalised by Google. I got busy with other things and forgot about it. When I bumped into it again I decided to write about it, for two reasons: 1) To me it's hard to believe that Chrome would allow for this to happen in the first place and 2) that Google wouldn't penalise a site doing this. Well, since the story was published Google tracked down my test page (most likely by using the source code I revealed on my blog) and completely de-indexed the whole domain.
8 comments

You did good by publishing this. I've seen that you're updating your blog post based on what people are saying here, you don't have to do that, you don't have to answer to people attacking you on a forum.

What you have exposed has the potential to affect a large number of Google users and unfortunately the community has chosen to attack you over attacking Google.

Which could say a lot about the state of the community. So thanks again for bringing this vulnerability to our attention.

> you don't have to answer to people attacking you on a forum

Maybe you don't feel like you have to, but I can tell you from experience, that when an entire community of your peers piles on to you, there is a significant emotional response that you're being rejected. That's just my personal experience, but it seems pretty common to want to respond when those you respect and work with (or might work with) respond negatively to your work.

It's sad that everyone is being so harsh to you just because you decided to post about a vulnerability that who knows thousands of other people are quietly exploiting for their own benefit. If anything I am happy that instead of trying to misuse it or keeping it a secret you made it public knowledge so that there can be something done about it.

Yes you could have handled it more appropriately and you probably will in the future too. I just don't understand the harsh attitude and all this legal nonsense and insults being hurled at you for no big reason.

Howdy, former Matasano pentester here.

FWIW, I would probably have done something similar to them before I'd worked in the security industry. It's an easy mistake to make, because it's one you make by default: intellectual curiosity doesn't absolve you from legal judgement, and people on the internet tend to flip out if you do something illegal and say anything but "You're right, I was mistaken. I've learned my lesson."

To the author: The reason you pattern-matched into the blackhat category instead of whitehat/grayhat (grayhat?) category is that in the security industry, whenever we discover a vuln, we PoC it and then write it up in the report and tell them immediately. The report typically includes background info, reproduction steps, and recommended actions. The whole thing is typically clinical and detached.

Most notably, the PoC is usually as simple as possible. alert(1) suffices to demonstrate XSS, for example, rather than implementing a fully-working cookie swipe. The latter is more fun, but the former is more impactful.

One interesting idea would've been to create a fake competitor -- e.g. "VirtualBagel: Just download your bagels and enjoy." Once it's ranking on Google, run this same experiment and see if you could rank higher.

That experiment would demonstrate two things: (1) the history vulnerability exists, and (2) it's possible for someone to clone a competitor and outrank them with this vulnerability, thereby raising it from sev:low to sev:hi.

So to be clear, the crux of the issue was running the exploit on a live site without their blessing.

But again, don't worry too much. I would have made similar errors without formal training. It's easy for everyone to say "Oh well it's obvious," but when you feel like you have good intent, it's not obvious at all.

I remind everyone that RTM once ran afoul of the law due to similar intellectual curiosity. (In fairness, his experiment exploded half the internet, but still.)

Thank you, I did mess up and wish I could take it back. To everyone bashing on me, I'm truly sorry to offend so many people. That was not the intention. This was purely as you describe it, intellectual curiosity.

I really appreciate your comment and hope it's OK that I added it here: https://dejanseo.com.au/competitor-hack/#shawn

The good news is, if you're ever interested in a career as a pentester, this is an excellent portfolio piece. :) (Really!)

Also, don't worry too much. I think everyone knows your heart was in the right place, and ultimately that counts for something.

Don't let it discourage you. It was a really cool finding. I've done everything right before when it comes to disclosing bugs, and I've still had people dumping on me.

You should consider security as a second career if you ever get bored with marketing.

> So to be clear, the crux of the issue was running the exploit on a live site without their blessing.

Well, he wasn't running it on someone else's site, right? All the code ran on his site, so at worst he was guilty of trademark infringement or — if he copy-pasted HTML or rendered the same text — copyright infringement (which he could have avoided by just being a proxy to them, I think).

Or did I miss something? It doesn't sound like he did anything to other sites themselves.

Ah, you’re right of course. I should have been more clear.

To the author: an alternate ending to this story could have been “competitor found out; flipped out; forwarded this to their legal department; your next two years are very unpleasant, even if the lawsuit ends up settled.”

That’s the main reason why you want to get permission and make everyone aware before doing this.

Here’s a small example: at Mtso a coworker had been running a netpen against a certain well known company. They managed to pivot into their network and eventually onto dev workstations. Last I heard, they were grepping through devs’ home dirs looking for admin keys and such, to see how far they could go.

The difference between that situation and this, is that at every single step of the way, Mtso was in constant contact with the target company and the higher ups knew exactly what was happening as it happened. The target company wanted to know how far we could get. After all, that’s what they were paying for.

(Red teaming is even cooler — it’s that, but breaking into buildings.)

But when you’re an outsider, you don’t have any institutional protection. So it’s doubly important to follow standard procedures (see Hacker One for examples).

I thought of a rule of thumb: if you’re getting information from a PoC that might benefit you / your business, it’s not merely a security PoC anymore. It’s an active exploit that you’re benefiting from.

But again, it’s an easy mistake to make without thinking carefully.

For those of us who aren't familiar with the story, the RTM exploding the internet reference is this:

https://en.wikipedia.org/wiki/Morris_worm

Interesting... I reported a variation of this issue to Google back in 2015 and they said they weren't "concerned about the premise of the attack in the bug description. You can always make the back button go to a page under your control by doing a second navigation, e.g., with pushState".

> But again, don't worry too much. I would have made similar errors without formal training.

Do you have any idea how patronizing your tone is?

Nope!

(I meant formal security training, FWIW. Also I know that feeling of "Oh boy, I just pissed off the internet, didn't I?" and wanted to remind him it'll blow over soon. It's not a huge deal, and he'll come out of it with +reputation.)

Back button hijacking has been known for ages. This isn't increasing anybody's security posture. There might be a bit more slack if this was actually new.

As a person who has wasted a lot of time trying to convince Google that a vulnerability is worth fixing, I have no sympathy for them finding out about a vulnerability via a public disclosure like this. They probably would have spent weeks/months failing to understand the implications of the vulnerability only to have the report closed with an auto generated response about phishing not being considered a vulnerability. Keep thinking like an attacker and sharing your findings. It is the best way we can make software more secure.

I don’t think anyone is objecting to what you did as much as how you did it, and how you seem to be proud of flagrantly abusing your ability to duplicate other people’s intellectual property. I’m hardly a champion of copyright laws or IP in general, but running duplicates of someone else’s site feels completely wrong to me without thinking twice. Like the suggestion from the pen tester here, which you posted on your blog, this would be a lot different if you had written the article about conduct that seemed professional, respectful and legal.

How is it different from archive.org snapshots from an IP perspective?

Great question. How about we invert that, and you tell me what IP laws justify operating a functioning duplicate of someone else’s entire website, full of copyrighted and trademarked content, for the benefit of your business?

By this logic, I could duplicate any website in the world and operate a copy for my private business. While I am not a lawyer it seems clear that this is not legal (and as if this is the first time the concept occurred to someone!)

I assume archive.org falls under Fair Use. Check these guidelines.

https://tinytake.com/screen-capture-copyright-violation-or-f...

Duplicating your competitors website for analysis to benefit your business fails the first condition. If it were academic research or some sort of public benefit, that’s different than for-profit republishing for your SEO business.

Is Chrome the only browser this trick worked on?

Copying someone else's site and tricking their users to use your copy is a copyright violation and fraud. Nothing cool about it.

Copyright violation? You're literally just "archiving" their website. Exactly the same as Google are doing themselves.

No, you're not just "archiving". Besides the point that archiving itself is already in a legal grey zone, at the very least it has the defence that it presents the website unmodified, in exactly the same state for no other purpose than showing the web as it used to be. Like file-sharing websites, archive websites rely on the fact that it's an automated process and they can continue to host anything until they get a DMCA takedown. Not to mention organisations like Archive.org are literally run by librarians which gives their argument of preservation a lot more weight.

When you're stealing assets and adding your own tracking code, you're transforming the work, which is a definite no-no for copyright and trademark law. Not to mention that by intercepting traffic which was meant for a competitor you're literally interfering with their business and risk fraud charges.

No, you're using their content to gain financially, and in this instance, at their expense. And that's putting aside all the other possible counter-arguments, of which there are many.

I'm no fan of long copyrights, etc., but in this case to me it's a clear cut case.

It's a POC with no intention other than seeing if it would be possible, isn't it?

Except for the part where he said he moved the code to another site five years ago where it has been running since and even ranks highly for some search queries? Unless I’m misreading that paragraph.

While that might mean that it's OK ethically (I'm not sure either way), that doesn't make a difference legally.

If you go and pick the lock of a random house in your city and get caught by the police, I very much doubt that the defence "I was just doing it to see if I could" is going to help you.

If you didn't steal anything, what would the charge be?

If you get caught while doing it you would likely be charged with attempted burglary. It's up to you to convince jury/judge that you didn't intend to steal.

If you only get caught after leaving the premises it is trespassing, since it's apparent you didn't steal. Picking a lock in order to trespass might make the sentence a bit harsher than normal.

So anyone can just come walk around inside your house without your permission, and you think it’s legal and no problem as long as they don’t take anything? I could see that being the perspective in another culture but it certainly isn’t how the US works.

> you think it’s legal and no problem as long as they don’t take anything

Not only that, they can move in!

Here in Belgium a young couple left the country to do volunteering work only to hear from friends back home that gypsies had squatted their house. Official reaction of the mayor of Ghent was "I can't do anything about it ... it's complicated"

Obviously breaking & entering is a crime but if you're "living" there, only the courts can kick you out after following all the necessary legal steps.

UK has (had) similar squatting laws but afaik those were mainly (ab)used in the 90s to throw parties in abandoned warehouses.

Breaking and entering or trespassing at the very least.

Breaking and entering. Trespass.

Not the first time either. Every now and again I get an interesting idea, test it and share it with the world. The test that was left forgotten had no commercial impact on anyone and very low traffic.

You're right, he did the ethical right thing and informed the sites he’s spoofing, and informed the users he tricked. And he only ran it for a limited period to prove it was possible... Oh no wait, he did none of those things. This is not a POC, it’s just a guy running an exploit for five years who thought he did nothing wrong because “If I shouldn’t be allowed entry, they should have used a better lock!”

It's also a big trademark violation, right?

I would say copyright violation.

Yeah, copying the content is definitely copyright violation. But I meant to say that by hosting these sites, the developer could also get sued for attempting to conduct business under the trade name of another entity. And that includes, in particular, hosting that fake Google SERP.

What's not cool at all is the fact exposed here that Google lets anyone trick their users.

Your statement is far too broad and lacks context. Where is this a violation and where is it considered fraud? There must be some countries where this isn't the case or at least where the article and non-commercial use of the technique are considered to be mitigating circumstances.

Also, who doesn't find it cool? You don't seem to be saying that what is described in the article isn't cool, you seem to be making a broader claim that copyright violation and fraud aren't cool.

Let's assume you find what is described in this article copyright violation and fraud, because after all, you said it is. Apparently some people on HN find what the author has done cool, judging by the comments. Ergo, some things that you, specifically, consider 'copyright violation and fraud' are in fact cool.

He copied Google's SERP page, AND copied all of his competitors websites. That's definitely copyright infringement, you'd be livid if you were a competitor, and as a user you'd be pretty annoyed.

It's still an interesting hack, so good to see it being talked about. But it is not ethical and definitely illegal in almost any jurisdiction.

Copyright infringement is a civil case in almost any jurisdiction, not a criminal case.

The USA is a notable exception, perhaps due to the vested interests with deep pockets.

A civil case you would lose though.

Just to be clear: you do not endorse copyright infringement for the sake of being cool, do you?

I believe much of modern copyright law in Europe but especially the US is broken, but in general I don't find crime cool, nor do I find 'cool' a justification in itself to do certain things. Not all laws are sacred though.

I was merely reacting to the broad nature of the claims in the parent comment. There is a world beyond the US and Europe; laws are not universal truths, they are a representation of what we have come to agree upon as rules to play by. In copyright law specifically though there is often a chasm between what the people find good rules and what companies find good rules. But that is a different discussion.

I guess you don't put locks on your home because you have a 'don't come in' sign on the door, right?

I'm curious, how did you generate your content for the spoof SERP page? Was it dynamic to somehow reflect the content of the user's original SERP page (which could be subject to the user's location, browsing history and other factors in G's algorithm)?

Thanks for publishing this. I guess that's not said enough with all of the butthurt people here.